When my site's traffic started to ramp up, I wanted to secure the configuration a bit and prevent outsiders on the Internet from accessing my Ghost admin page unless they are on the internal network.
This can easily be done with ingress-nginx, without meddling with the theme or code of Ghost.
You can simply modify the Ingress configuration, either through the Kubernetes Dashboard or by editing it by hand via:
kubectl edit ingress <example-com>
And add the following HTTP snippet into the annotation part of the configuration:
Once saved, kubectl will verify the configuration and make it effective immediately.
And you'll get a 403 from NGINX like below:
The admin URL can still be made accessible from the internal network if you:
- Configure another secret Ingress for Ghost admin.
- Secure it using another annotation for a second ingress with a different URL:
- Add a Ghost admin URL by modifying the Ghost deployment like below:
- Finally, in order for the whitelist for ingress-nginx to work, you will need to modify the externalTrafficPolicy for the ingress-nginx-controller service to Local by:
And now you can access your admin console if you:
- access the admin URL at https://securecname.example.com/ghost/, and
- are within the whitelist network that you have specified.
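
The two Ingress objects described in the steps above, as an added example that is not the author's original configuration. The choice of the `server-snippet` annotation for the 403, the Service name `ghost`, port 2368, the Ingress name `ghost-admin` and the `10.0.0.0/8` range are assumptions, and TLS is assumed to be configured separately.

```yaml
# Added example: hostnames, Service "ghost", port 2368 and 10.0.0.0/8 are assumed.
# Public Ingress: answer 403 for the admin path on the Internet-facing host.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-com
  annotations:
    # Requires snippet annotations to be allowed on the controller.
    nginx.ingress.kubernetes.io/server-snippet: |
      location ^~ /ghost/ {
        return 403;
      }
spec:
  ingressClassName: nginx
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: ghost
                port:
                  number: 2368
---
# Admin Ingress: second hostname, reachable only from the allowlisted range.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ghost-admin
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/8"
spec:
  ingressClassName: nginx
  rules:
    - host: securecname.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: ghost
                port:
                  number: 2368
```

The remaining two steps are setting Ghost's `admin__url` environment variable to `https://securecname.example.com` on the Deployment and setting `externalTrafficPolicy: Local` in the ingress-nginx-controller Service spec. The `Local` policy preserves the client source IP, so the allowlist is compared against the real client address instead of a node address.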